April 23, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – New Windows zero-day exploited in the wild
March 24, 2020Rewterz Threat Alert – HawkEye Keylogger uses COVID19 Advice from WHO
March 24, 2020Rewterz Threat Alert – New Windows zero-day exploited in the wild
March 24, 2020Rewterz Threat Alert – HawkEye Keylogger uses COVID19 Advice from WHO
March 24, 2020
Severity
High
Analysis Summary
An unknown ELF sample was found generating Elknot botnet related network traffic. It was found to be a Trojan-Downloader which utilizes “SHC (Shell script compiler)” technique and propagates through weak SSH credentials. The author appeared to be an old player Icnanker who leaves his QQ number and name in his codes. Icnanker is the first Linux malware family we observed that uses SHC. Icnanker is divided into 2 categories according to their functions:
- Downloader
Downloader is mainly used to facilitate DDos and Mining attacks. Currently its samples include Elknot Botnet, Xor Botnet and XMRMiner. On Icnanker-related HFS servers, we can see that the current download volume is at 20,114, and about 500 increment per day.
- Protector
Protector is used to protect samples from being deleted. It is currently used to protect Mining service.
Icnanker comes with the following capabilities.
- Download and execute specific samples
- Add new users
- Delete system command
- Hide itself
- Persistence
Impact
- Code execution
- Data manipulation
- Detection Evasion
- DDoS
- Mining
Indicators of Compromise
Hostname
- ubt[.]ubtv[.]xyz
- sys[.]jave[.]xyz
- jav[.]jave[.]xyz
- 8uch[.]jave[.]xyz
- 8uc1[.]jave[.]xyz
- xz[.]jave[.]xyz
- 8uc2[.]ubtv[.]xyz
MD5
- 4a3e1ff8cfc0d334550b815b6d82d89e
- 765a0899cb87400e8a27ab572f3cdd61
- 5c90bfbae5c030da91c9054ecb3194b6
- 187fa428ed44f006df0c8232be4a6e4e
- 89cd1ebfa5757dca1286fd925e0762de
- 5790dedae465994d179c63782e51bac1
- d989e81c4eb23c1e701024ed26f55849
- 0764da93868218d6ae999ed7bd66a98e
- eec19f1639871b6e6356e7ee05db8a94
- 6abe83ee8481b5ce0894d837eabb41df
SHA-256
- 6aba3638f630ca61563ad33503d039db4082c389a270263d34bebefe68a31287
- 400bac87f1303e6ed8b85b009454d8b6cd12fe38337119e03a4c7d0cdb130577
- 741c09277639628acaed49e07ed1f17dea12d613336ff3145c8b224bab033215
- 99a5875ce98349a17224569db4fd86fab9277bca1462744bd3b0ae227ee96e8a
- eebd1648a3d603a26f4c9de11f1ac68e110573388d22a5a65b9daf50116bc5c5
- 2c311b145c1c8e41cf72db978b554f82534a5e3ec6cce5a29d5988d57dbe5fb1
- 4da20ce9dbac55cdddb3497153cf04062347be20a541e8096b42b6094340b5e1
- cf144edc695e4cd84189e4e7230b5cfa7a0a5fb1a15aa397ec8ba085446e245a
- aec62371dbc7e7338c99b0cbc5f09f037d4ebacbfcfad9e844ba71f5053a4d23
- 398b8988661a37761c490bb85c7454bd20f6469b821cbf6d97751348d7cf30c5
URL
- http[:]//xz[.]jave[.]xyz/[.]xm
- http[:]//xz[.]jave[.]xyz/mr[.]tar
- http[:]//xz[.]jave[.]xyz[:]22345/[.]xm
- http[:]//xz[.]jave[.]xyz[:]22345/[.]xm1
- http[:]//jav[.]jave[.]xyz[:]6001
- http[:]//8uc1[.]jave[.]xyz[:]1987
- http[:]//ubt[.]ubtv[.]xyz[:]19880
- http[:]//8uch[.]jave[.]xyz[:]3478
- http[:]//8uc2[.]ubtv[.]xyz[:]2987
- http[:]//xz[.]jave[.]xyz[:]22345
- http[:]//sys[.]jave[.]xyz[:]1764
Remediation
- Block the threat indicators at their respective controls.
- Use unique and strong credentials and implement multi-factor authentication.